[Image Builder][osbuild] Cannot install some packages due to a gpg error
Environment
- Red Hat Enterprise Linux 10.1
- osbuild-composer
- image-builder
Issue
Composing an image-installer fails with:
Pipeline: anaconda-tree
Stage: org.osbuild.rpm
Output:
Failed to open file "/sys/fs/selinux/checkreqprot": Read-only file system
imported gpg key
Signature check failed on sha256:64a27e906cbec0c59108600ccfc0ca7bc6bd4ac5b2641422b9acc7fec9588bc1, lookup package name in manifest.
Traceback (most recent call last):
  File "/run/osbuild/bin/org.osbuild.rpm", line 260, in <module>
    r = main(args["tree"], args["inputs"], args["options"])
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/run/osbuild/bin/org.osbuild.rpm", line 162, in main
    subprocess.run([
  File "/usr/lib64/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['rpmkeys', '--root', '/run/osbuild/tree', '--checksig', 'sha256:64a27e906cbec0c59108600ccfc0ca7bc6bd4ac5b2641422b9acc7fec9588bc1']' returned non-zero exit status 1.
NOTE: the pipeline may change, but this is the same error. The sha256 above corresponds to the ipmitool package that is stored in the osbuild-worker's cache:
# rpm -qp --qf '%{name}-%{version}-%{release}\n' /var/cache/osbuild-worker/osbuild-store/sources/org.osbuild.files/sha256:64a27e906cbec0c59108600ccfc0ca7bc6bd4ac5b2641422b9acc7fec9588bc1
ipmitool-1.8.19-10.el10_1
Resolution
The issue has been fixed only for building the 10.1 distro, in osbuild-composer-149-4.el10_1.x86_64:
https://access.redhat.com/errata/RHSA-2026:1837
If the issue persists, ensure your blueprint points to the latest minor release, 10.1, because the bug remains in the "rhel-10.json" file, which has not been updated with the PQC key:
distro = "rhel-10.1"
The issue also occurs while trying to build a RHEL 9.7 image from a RHEL 10.1 host, with osbuild-composer as well as image-builder. The workaround is to create an override with check_gpg = false (see the rhel-9.7.json attachment).
Workarounds
The idea is to create a repository override and append the 3rd and last key from /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release to the appstream "gpgkey" value.
1/ For osbuild-composer
- Copy the "rhel-10.1.json" and "rhel-9.7.json" repo overrides attached to this article to /etc/osbuild-composer/repositories:
  mkdir -p /etc/osbuild-composer/repositories
  cp rhel-10.1.json rhel-9.7.json /etc/osbuild-composer/repositories/
- And then restart the composer service.
  systemctl restart osbuild-composer
2/ For image-builder
The idea is the same, but you need to point to the repository overrides directory explicitly with:
image-builder --data-dir <DIRECTORY_WITH_CUSTOM_REPO_JSON>
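The override idea described at the top of this section (append the last key of the release key file to the appstream "gpgkey" value, leaving signature checking enabled) can be scripted as below. This is an added example, not code from the article or from osbuild; it assumes the override JSON maps each architecture to a list of repository objects with "name" and "gpgkey" fields, and the function names and sample data are constructed for illustration.

```python
import json
import re

# Matches one ASCII-armored OpenPGP public key block.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP PUBLIC KEY BLOCK-----.*?-----END PGP PUBLIC KEY BLOCK-----",
    re.DOTALL,
)

def split_armored_keys(text):
    """Return every armored public key block found in a key file, in order."""
    return ARMOR_RE.findall(text)

def append_last_key(override, key_file_text, repo_name="appstream"):
    """Append the last key in key_file_text to repo_name's "gpgkey" on every arch.

    Returns the number of entries changed; entries already holding the key are skipped."""
    keys = split_armored_keys(key_file_text)
    if not keys:
        raise ValueError("no armored public key block found in key file")
    new_key = keys[-1]
    changed = 0
    for repos in override.values():          # assumed layout: {arch: [repo, ...]}
        for repo in repos:
            current = repo.get("gpgkey", "")
            if repo.get("name") != repo_name or new_key in current:
                continue
            repo["gpgkey"] = (current.rstrip("\n") + "\n" + new_key + "\n").lstrip("\n")
            changed += 1
    return changed

# Constructed sample data: placeholder key bodies, not real Red Hat keys.
def _fake_key(label):
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
            f"{label}\n-----END PGP PUBLIC KEY BLOCK-----")

SAMPLE_KEY_FILE = "\n".join(_fake_key(k) for k in ("KEY2", "AUX3", "KEY4")) + "\n"
SAMPLE_OVERRIDE = {
    "x86_64": [
        {"name": "baseos", "baseurl": "https://example.invalid/baseos",
         "gpgkey": _fake_key("KEY2") + "\n", "check_gpg": True},
        {"name": "appstream", "baseurl": "https://example.invalid/appstream",
         "gpgkey": _fake_key("KEY2") + "\n", "check_gpg": True},
    ]
}

if __name__ == "__main__":
    append_last_key(SAMPLE_OVERRIDE, SAMPLE_KEY_FILE)
    print(json.dumps(SAMPLE_OVERRIDE, indent=2))
```

On a real host the key text would be read from /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release and the result written into the override directory used above.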
Root Cause
The default keys provided in osbuild-composer do not include the last "Post-Quantum Cryptography" key provided in /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release (release key 4):
# rpmkeys --list
fd431d51-4ae0493b: Red Hat, Inc. (release key 2) <security@redhat.com> public key
5a6340b3-6229229e: Red Hat, Inc. (auxiliary key 3) <security@redhat.com> public key
05707a62-68e6a1f3: Red Hat, Inc. (release key 4) <security@redhat.com> public key <<<
The bug was tracked by the following Jira: https://issues.redhat.com/browse/RHEL-141620
Two other bugs are still open: https://redhat.atlassian.net/browse/RHEL-156835 and https://redhat.atlassian.net/browse/RHEL-142993
Note that this bug affects ANY package signed with this new "release key 4".